Partiful, the trendy event planning app that's become the go-to replacement for Facebook Events, just patched a serious privacy vulnerability that could have exposed users' exact locations. The $27 million startup was inadvertently sharing GPS coordinates embedded in profile photos - revealing everything from home addresses to workplace locations for anyone savvy enough to check the image metadata.
Partiful has been riding high as the cool alternative to Facebook Events - Google even crowned it the best app of 2024. But the startup's rapid ascent hit a privacy speed bump this week when TechCrunch discovered the app was leaking users' precise locations through their profile photos.
The vulnerability was surprisingly straightforward. Using basic browser developer tools, anyone could access raw profile photos stored on Partiful's Google Firebase backend and extract embedded GPS coordinates showing exactly where those images were captured. For some users, that meant revealing home addresses or workplace locations down to within a few feet.
TechCrunch reporters Zack Whittaker and Amanda Silberling tested the flaw themselves, uploading a profile photo taken outside San Francisco's Moscone West Convention Center. The image's precise coordinates remained intact on Partiful's servers, confirming the security gap.
This isn't just a technical oversight - it's a fundamental privacy issue that most platforms solve automatically. Companies like Meta, Google, and Apple routinely strip metadata from uploaded images to prevent exactly this kind of exposure. The practice has become so standard that Partiful's oversight raises questions about the startup's security processes.
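As an added example, not Partiful's code or anything from TechCrunch's test, here is the upload-time control the paragraph describes: a Python check for the GPS IFD pointer inside a JPEG's EXIF block, and a stripper that drops the EXIF/XMP (APP1) and IPTC (APP13) segments before storage. The JPEG bytes are constructed inline, and `sample_jpeg` and the other function names are assumptions for illustration.

```python
import struct

SOS, APP1, APP13 = 0xFFDA, 0xFFE1, 0xFFED   # scan start; EXIF/XMP and IPTC containers
GPS_IFD_POINTER = 0x8825                     # IFD0 tag holding the offset of the GPS IFD

def _segments(jpeg: bytes):
    # Yield (marker, payload) per header segment; the scan data from SOS on is yielded whole.
    pos = 2                                  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:
            yield SOS, jpeg[pos:]
            return
        yield marker, jpeg[pos + 4:pos + 2 + length]   # length counts its own two bytes
        pos += 2 + length

def has_gps(jpeg: bytes) -> bool:
    # True if the EXIF APP1 segment's IFD0 contains a GPS IFD pointer entry (tag 0x8825).
    for marker, payload in _segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff, end = payload[6:], "<" if payload[6:8] == b"II" else ">"   # TIFF byte order
        ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
        for i in range(struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]):   # 12-byte entries
            tag = struct.unpack(end + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            if tag == GPS_IFD_POINTER:
                return True
    return False

def strip_metadata(jpeg: bytes) -> bytes:
    # Drop EXIF/XMP (APP1) and IPTC (APP13) segments; copy every other segment unchanged.
    out = bytearray(b"\xff\xd8")
    for marker, payload in _segments(jpeg):
        if marker == SOS:
            out += payload
        elif marker not in (APP1, APP13):
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out)

def sample_jpeg() -> bytes:
    # Constructed sample: JFIF APP0, then an EXIF APP1 whose IFD0 points at a GPS IFD at offset 26.
    gps = (struct.pack("<H", 2) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")    # GPSLatitudeRef
           + struct.pack("<HHI4s", 0x0003, 2, 2, b"W\x00\x00\x00") + struct.pack("<I", 0))  # GPSLongitudeRef
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    exif = b"Exif\x00\x00" + b"II\x2a\x00" + struct.pack("<I", 8) + ifd0 + gps
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + struct.pack(">HH", 0xFFE0, len(app0) + 2) + app0
            + struct.pack(">HH", APP1, len(exif) + 2) + exif
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")   # minimal scan + EOI
```

Dropping APP1 also discards the EXIF Orientation tag, so a production upload pipeline usually decodes and re-encodes the pixels rather than splicing segments; `has_gps` is still useful as a post-upload audit of what is actually sitting in storage.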
The timing couldn't be more awkward for Partiful, which has faced scrutiny over its founders' backgrounds. Co-founders Shreya Murthy and Joy Tao previously worked at Palantir, the data mining company that powers ICE's deportation database. Some New York promoters have even boycotted the app over these connections, making privacy missteps particularly damaging.
After TechCrunch reached out Friday with evidence of the vulnerability - including a Manhattan resident's precise address extracted from their profile photo - Partiful co-founder Joy Tao acknowledged the issue was "already on our team's radar." The company initially planned a fix for "next week" but accelerated the timeline after reporters emphasized the severity.
By Saturday, Partiful had patched the vulnerability and stripped GPS data from existing photos. The company disclosed the incident in a brief Twitter statement shortly before TechCrunch's story published.
"We regularly perform security reviews with experts in the field," spokesperson Jess Eames told TechCrunch, though the company declined to name these experts or confirm whether it conducted security audits before launching. The response suggests Partiful may need to strengthen its security practices as it scales.
The incident highlights broader tensions in the app ecosystem around data collection and privacy. Partiful has evolved from a simple event planning tool into what TechCrunch describes as "a powerful Facebook-like social graph," mapping users' friends, activities, locations, and phone numbers. With that data comes responsibility.
For Partiful's investors, including Andreessen Horowitz, the privacy slip represents the kind of operational risk that can derail promising startups. The company has raised over $27 million since 2022, riding the wave of users fleeing Meta's increasingly algorithmic approach to social features.
Eames said the company found "no evidence" of unauthorized access to user photos, but acknowledged the investigation was ongoing. Without detailed logs, it's difficult to determine if bad actors exploited the vulnerability before the fix.
The swift fix shows Partiful can respond quickly to security issues, but the fundamental oversight raises questions about the startup's preparation for handling sensitive user data at scale. As event planning apps become more sophisticated social platforms, users deserve the same privacy protections they'd expect from established tech giants. For a company with Palantir DNA and $27 million in funding, basic metadata stripping should have been table stakes from day one.